ControlParameter
Four types of control parameters are supported.
- AllowedRegions: List of AWS Regions exempted from the control. Each string is expected to be an AWS Region code. This parameter is mandatory for the OU Region deny control, CT.MULTISERVICE.PV.1.
  Example:
  ["us-east-1","us-west-2"]
- ExemptedActions: List of AWS IAM actions exempted from the control. Each string is expected to be an IAM action.
  Example:
  ["logs:DescribeLogGroups","logs:StartQuery","logs:GetQueryResults"]
- ExemptedPrincipalArns: List of AWS IAM principal ARNs exempted from the control. Each string is expected to be an IAM principal that follows the pattern
  ^arn:(aws|aws-us-gov):(iam|sts)::.+:.+$
  Example:
  ["arn:aws:iam::*:role/ReadOnly","arn:aws:sts::*:assumed-role/ReadOnly/*"]
- ExemptedResourceArns: List of resource ARNs exempted from the control. Each string is expected to be a resource ARN.
  Example:
  ["arn:aws:s3:::my-bucket-name"]
Contents
- Name
  The parameter name. This name is the parameter key when you call EnableControl or UpdateEnabledControl.
  Type: String
  Required: Yes
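
An added example, not part of the AWS documentation: a pre-flight check that rejects malformed exemption lists before they are sent with EnableControl or UpdateEnabledControl. The principal ARN pattern and the AllowedRegions requirement for CT.MULTISERVICE.PV.1 come from this page; the function name, the key/value dictionary shape, passing the control ID as a plain string, and the shape patterns for Region codes, IAM actions and resource ARNs are assumptions.

```python
import re

# Pattern quoted on this page for ExemptedPrincipalArns entries.
PRINCIPAL_ARN_RE = re.compile(r"^arn:(aws|aws-us-gov):(iam|sts)::.+:.+$")
# Assumed shapes (not from the page): Region codes such as "us-east-1",
# IAM actions such as "logs:StartQuery", and six-field resource ARNs.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")
RESOURCE_ARN_RE = re.compile(r"^arn:[^:]+:[^:]+:[^:]*:[^:]*:.+$")

CHECKS = {
    "AllowedRegions": REGION_RE,
    "ExemptedActions": ACTION_RE,
    "ExemptedPrincipalArns": PRINCIPAL_ARN_RE,
    "ExemptedResourceArns": RESOURCE_ARN_RE,
}
REGION_DENY_CONTROL = "CT.MULTISERVICE.PV.1"


def validate_parameters(control_id, parameters):
    """Return a list of problems; an empty list means the parameters pass."""
    problems = []
    seen = set()
    for param in parameters:
        name, value = param.get("key"), param.get("value")
        if name not in CHECKS:
            problems.append(f"{name}: unsupported parameter name")
            continue
        if name in seen:
            problems.append(f"{name}: specified more than once")
        seen.add(name)
        if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            problems.append(f"{name}: value must be a list of strings")
            continue
        for item in value:
            if not CHECKS[name].match(item):
                problems.append(f"{name}: malformed entry {item!r}")
    # The page marks AllowedRegions as mandatory for the OU Region deny control.
    if control_id == REGION_DENY_CONTROL and "AllowedRegions" not in seen:
        problems.append("AllowedRegions: mandatory for " + REGION_DENY_CONTROL)
    return problems


if __name__ == "__main__":
    # Constructed sample: a resource ARN placed in the principal list by mistake.
    sample = [{"key": "ExemptedPrincipalArns", "value": ["arn:aws:s3:::my-bucket-name"]}]
    for problem in validate_parameters(REGION_DENY_CONTROL, sample):
        print(problem)
```
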
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: